Cracking on iPhone Phoenixdev Tutorial.pdf




license process
after you install the .deb manually or from cydia, you have to respring, and the license is then verified
online (a POST request to http://www.phoenix-dev.com/v/shrink/). the response is saved to:
/User/Library/Preferences/com.phoenix.shrink.plist
the license format looks like this (a binary plist, i.e. xml in binary mode, viewed with plist editor pro, serial replaced by 0's):

a big serial, huh? we will see later why. phoenix also submits every bit of information about your
iphone it can get, including values that are not used in the licensing process at all. these are the values
that get submitted to his server:
X-WIFI-ADDR, X-BT-ADDR, X-IMEI, X-SN, X-ECID, X-DEVTYPE, X-DEVVERS, X-PRODVERSION, X-CFVERS

so tell me, phoenix, what are you doing with this private info from your customers' iphones?

initial disassembling
but now let's start the fun and disassemble shrink.dylib in IDA. you can unpack the .deb (7-zip
works fine; it is just an ar archive with a data.tar inside) or pull the dylib from the iphone itself. to get more
information and a better view of all that Objective-C stuff we apply KennyTM's fixobjc2.idc in IDA, which
you can find here:
http://networkpx.googlecode.com/svn/etc/idc/fixobjc2.idc
newer IDA versions do that already for you without the need of an idc script.
from earlier versions, and also from general iphone cracking, i knew that at some point the app will get
the UDID of the device, so let's check for that first. looking at the imports in IDA we quickly see
000000000000EA78 _kLockdownUniqueDeviceIDKey /usr/lib/liblockdown.dylib
this is how it looks in the IDA imports window:

there are other ways to get the UDID of the device, but phoenix has always used this method.
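unpacking the .deb and checking for the lockdown import, as an added example (this is not code from the tutorial or from phoenix-dev): a .deb is an ar archive whose data.tar.* member holds the installed files, so the parser below pulls every .dylib out of it and then scans the raw binary for the _kLockdownUniqueDeviceIDKey string that IDA lists in the imports window. the package built by build_sample_deb(), the DYLIB_PATH inside it and the fake Mach-O bytes are constructed assumptions, not the real shrink package; 7-zip or `ar x` do the same unpacking by hand.

```python
import io
import tarfile

# Constructed stand-ins (assumptions, not from the tutorial): where the dylib
# sits inside the package and what the fake binary contains.
DYLIB_PATH = "./Library/MobileSubstrate/DynamicLibraries/shrink.dylib"
LOCKDOWN_UDID_SYMBOL = "_kLockdownUniqueDeviceIDKey"   # the import named in the tutorial

AR_MAGIC = b"!<arch>\n"

# Mach-O magic numbers as they appear on disk (little-endian 32/64-bit, and fat).
MACHO_MAGICS = {
    b"\xce\xfa\xed\xfe": "MH_MAGIC",
    b"\xcf\xfa\xed\xfe": "MH_MAGIC_64",
    b"\xca\xfe\xba\xbe": "FAT_MAGIC",
}


def ar_members(blob):
    """Parse a classic 'ar' archive (the outer container of every .deb).
    Yields (name, bytes); each member has a 60-byte ASCII header and is padded to an even offset."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    off = len(AR_MAGIC)
    while off + 60 <= len(blob):
        hdr = blob[off:off + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad ar member header at offset %d" % off)
        name = hdr[0:16].decode("ascii").rstrip(" /")   # GNU ar appends a '/'
        size = int(hdr[48:58].decode("ascii").strip())
        data = blob[off + 60:off + 60 + size]
        if len(data) != size:
            raise ValueError("truncated member %r" % name)
        yield name, data
        off += 60 + size + (size & 1)


def extract_from_deb(deb_bytes, suffix=".dylib"):
    """Return {path: bytes} for every file inside data.tar.* whose name ends with suffix."""
    found = {}
    for name, data in ar_members(deb_bytes):
        if not name.startswith("data.tar"):
            continue
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:   # auto-detects gz/xz/bz2
            for m in tf.getmembers():
                if m.isfile() and m.name.endswith(suffix):
                    found[m.name] = tf.extractfile(m).read()
    return found


def is_macho(data):
    """True if the blob starts with a Mach-O or fat magic."""
    return data[:4] in MACHO_MAGICS


def find_symbol_refs(data, symbols):
    """Which of the given symbol names occur as NUL-terminated strings in the binary.
    Symbol names live in the Mach-O string table, so a raw scan finds imported names too;
    it is a cheap stand-in for the IDA imports window, not a replacement for it."""
    return sorted(s for s in symbols if s.encode("ascii") + b"\x00" in data)


# --- constructed sample package (not the real shrink .deb) ---------------------

def _make_tgz(files):
    """Build an in-memory .tar.gz from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def _ar_write(members):
    """Build a classic ar archive from [(name, bytes)] (the inverse of ar_members)."""
    out = bytearray(AR_MAGIC)
    for name, data in members:
        hdr = "%-16s%-12s%-6s%-6s%-8s%-10s" % (name, "0", "0", "0", "100644", len(data))
        out += hdr.encode("ascii") + b"`\n" + data
        if len(data) & 1:
            out += b"\n"
    return bytes(out)


def build_sample_deb():
    """Fake package: a 32-bit Mach-O magic followed by a string-table fragment naming
    the lockdown import from the tutorial (constructed, not real shrink contents)."""
    fake_dylib = (b"\xce\xfa\xed\xfe" + b"\x00" * 28 + b"\x00"
                  + LOCKDOWN_UDID_SYMBOL.encode("ascii") + b"\x00"
                  + b"/usr/lib/liblockdown.dylib\x00")
    return _ar_write([
        ("debian-binary", b"2.0\n"),
        ("control.tar.gz", _make_tgz({"./control": b"Package: example-shrink\n"})),
        ("data.tar.gz", _make_tgz({DYLIB_PATH: fake_dylib})),
    ])


if __name__ == "__main__":
    for path, blob in extract_from_deb(build_sample_deb()).items():
        kind = MACHO_MAGICS.get(blob[:4], "unknown")
        print(path, kind, find_symbol_refs(blob, [LOCKDOWN_UDID_SYMBOL]))
```

on a real package, read the .deb from disk and pass it to extract_from_deb(); a hit on _kLockdownUniqueDeviceIDKey only tells you the name is referenced somewhere, which is exactly the hint to then follow the xref in IDA as the tutorial does.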